RODC and Writable DC in the same site

Marcus Wong Theen Nam 1,111 Reputation points
2021-11-10T09:45:34.82+00:00

I have 1 RODC currently in site A, now I would like to add in another Writable DC into site A and then when new writable DC is up then I will demote the RODC.

So Im wondering can I add RODC and Writable DC in the same AD site? Will there be any authentication issue or conflict occur?

Thank you.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,093 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,547 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Gary Reynolds 9,416 Reputation points
    2021-11-10T10:29:05.457+00:00

    Hi,

    You can have a RODC and Writable DC in the same site, authentication requests can be serviced by either DC. If there is a write request, the request will be serviced by the writable DC. The netlogon DsGetDcName function is used to find a suitable writable DC using the DS_WRITABLE_FLAG.

    Gary.

    0 comments No comments

  2. Mukesh Agarwal 15 Reputation points
    2023-10-17T18:03:35.83+00:00

    It is not recommended to keep RODC with writable DC. You can keep both of them together but it does not mean you should do it. You can jump from 20th floor of a building does not mean you should jump from it.

    Let me explain why:

    RODC does not have krbtgt account password, instead it has it's own krbtgt_xxxx password which it uses to encrypt TGTs. If a user who has a TGT from writable, reaches an RODC for service ticket and provies the TGT, RODC can't decrypt it as it is signed by krbtgt account which it does not have. Althgouh, it is not a fatal error and the client does another request against the DC.

    This process will create more bandwidth and may result in delay in application access.

    Also, keeping RODC with writable just does not serve the purpose. RODC were introduced to keep in a site where you have less physical security.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.